- More than 20% of the healthcare organizations recently surveyed by the Ponemon Institute reported increased patient mortality rates after experiencing a cyberattack, according to a study released Thursday from the research group and Proofpoint, a cybersecurity compliance company.
- Delayed procedures and tests were the most commonly reported consequences of cyberattacks, along with longer patient stays, according to the study.
- Ransomware had the most negative impact on patient care, with almost two-thirds of organizations saying that an attack resulted in procedure or test delays. Six in 10 reported longer patient stays as a result of ransomware attacks, the study found.
Cybercriminals have targeted healthcare providers for their troves of detailed patient data, with attacks hampering hospital operations — like the April cyberattack at Tenet facilities that disrupted acute patient care.
Universal Health Services experienced a similar cybersecurity incident in 2020, which cost the chain $67 million after it had to divert ambulance traffic and schedule patient procedures at competing facilities due to the incident.
The Ponemon Institute study, which surveyed 641 healthcare IT and security practitioners, found that 89% of the organizations surveyed experienced a cyberattack in the past year and among them had an average of 43 attacks.
Cyber incidents can obstruct operations and patient care, and the four most common cyberattacks — cloud compromises, ransomware, supply chain and business email compromises — resulted in increased patient mortality rates for 23% of the organizations experiencing them.
Cyberattacks resulted in poor patient outcomes for 57% of those surveyed and increased complications from medical procedures for nearly half of them, according to the study.
Beyond impacting patient care, cyberattacks can also prove costly for healthcare organizations.
The average total cost for the most expensive cyberattack experienced in the study was $4.4 million, including $1.1 million in lost productivity.
Organizations can take steps to protect themselves from attacks with training and awareness programs and employee monitoring, as “organizations recognize careless and negligent employees pose a significant risk,” the study said.